Linux Distros Unpatched Vulnerability: CVE-2017-17536
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary...
CVE-2024-24829 SSRF in Sentry via Phabricator integration
Sentry is an error tracking and performance monitoring platform. Sentry's integration platform provides a way for external services to interact with Sentry. One such integration, the Phabricator integration maintained by Sentry, contains a constrained SSRF vulnerability in versions <=24.1.1. A...
gix-transport code execution vulnerability
The gix-transport crate prior to the patched version 0.36.1 would allow attackers to use malicious ssh clone URLs to pass arbitrary arguments to the ssh program, leading to arbitrary code execution. PoC: gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo' - This will launch a calculator on OS...
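The gix-transport entry above (and the Phabricator hg --config/--debugger entry earlier in this list) describe the same class of bug: a user-controlled string reaches a child process's argv in a position where that program parses options. The block below is an added example in Python, not gitoxide or Phabricator code. It models how an ssh:// clone URL turns into an ssh argv, shows where the PoC URL quoted above lands, and applies the two standard defences (validate the host as a plain DNS name, and end option parsing with `--`). The function names, the RFC 1123 label regex and the benign example.com URL are this example's own assumptions; nothing is executed.

```python
import re
from urllib.parse import urlsplit

# PoC URL quoted in the advisory above, and a constructed benign URL.
POC_URL = "ssh://-oProxyCommand=open$IFS-aCalculator/foo"
GOOD_URL = "ssh://git@example.com:2222/org/repo.git"


class UnsafeSshUrl(ValueError):
    """Raised when a URL component could be read by ssh as an option."""


def split_netloc(netloc):
    """Split '[user@]host[:port]' without touching the network."""
    user, _, hostport = netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return (user or None, host, port or None)


def ssh_argv_naive(url):
    """Vulnerable pattern: the host is placed in argv right after ssh's own
    options, so a host beginning with '-' is parsed by ssh as a flag."""
    parts = urlsplit(url)
    user, host, port = split_netloc(parts.netloc)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    argv.append(f"{user}@{host}" if user else host)
    argv += ["git-upload-pack", parts.path]
    return argv


# RFC 1123 hostname label: starts and ends alphanumeric, '-' only inside.
# Assumption of this example: DNS names / dotted IPv4 only, no IPv6 literals.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_plain_hostname(host):
    return bool(host) and all(_LABEL.match(label) for label in host.split("."))


def ssh_argv_hardened(url):
    """Two independent defences: reject components that are not what they
    claim to be, and end ssh's option parsing with '--' before the host."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise UnsafeSshUrl(f"expected ssh://, got {parts.scheme!r}")
    user, host, port = split_netloc(parts.netloc)
    if not _is_plain_hostname(host):
        raise UnsafeSshUrl(f"host is not a plain DNS name: {host!r}")
    if user is not None and (user == "" or user.startswith("-")):
        raise UnsafeSshUrl(f"unsafe user component: {user!r}")
    if port is not None and not port.isdigit():
        raise UnsafeSshUrl(f"unsafe port: {port!r}")
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    argv.append("--")  # everything after this is positional, never an option
    argv.append(f"{user}@{host}" if user else host)
    argv += ["git-upload-pack", parts.path]
    return argv


def accepts(url):
    """True if the hardened builder is willing to spawn ssh for this URL."""
    try:
        ssh_argv_hardened(url)
        return True
    except UnsafeSshUrl:
        return False


if __name__ == "__main__":
    print("naive   :", ssh_argv_naive(POC_URL))   # argv[1] is -oProxyCommand=...
    print("hardened:", ssh_argv_hardened(GOOD_URL))
    print("PoC accepted by hardened builder?", accepts(POC_URL))
```

Either defence alone stops the quoted PoC; keeping both means a future change to how the host is parsed (IPv6 brackets, userinfo quirks) does not silently reopen the hole, because `--` guarantees ssh never reads the host as a flag regardless of its first character.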
GHSA-W4G6-8XQP-G92M Jenkins Phabricator Differential Plugin vulnerable to XML external entity (XXE) attacks
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control coverage report file contents for the Post to Phabricator post-build action to have Jenkins parse a crafted XML document th...
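The entry above is a parser-configuration defect: the coverage report is attacker-controlled input, and the XML parser was left free to resolve the DTD and external entities in it. The block below is an added example in Python, not the plugin's Java code, showing a parser that fails closed on any DOCTYPE, entity declaration or external reference before it parses content (the approach defusedxml takes), using only the standard library. The two coverage documents are constructed for the demonstration; the Cobertura-style layout and the `line-rate` attribute are assumptions of this example.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed benign coverage report in a Cobertura-style layout.
CLEAN_REPORT = """<?xml version="1.0"?>
<coverage line-rate="0.8"><packages><package name="app"/></packages></coverage>"""

# Constructed malicious report: a DTD declaring an external entity that an
# unconfigured parser would resolve (here a local file) and fold into the document.
XXE_REPORT = """<?xml version="1.0"?>
<!DOCTYPE coverage [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<coverage line-rate="&xxe;"><packages/></coverage>"""


class ForbiddenXml(ValueError):
    """The document uses a DTD feature this parser does not allow."""


def _no_doctype(name, sysid, pubid, has_internal_subset):
    raise ForbiddenXml(f"DOCTYPE {name!r} is not allowed in coverage reports")


def _no_entity(name, is_param, value, base, sysid, pubid, notation):
    raise ForbiddenXml(f"entity declaration {name!r} is not allowed")


def _no_external_ref(context, base, sysid, pubid):
    raise ForbiddenXml(f"external entity reference to {sysid!r} is not allowed")


def reject_dtd(data):
    """Fail closed before any content is parsed: expat calls these handlers
    as soon as it sees a DOCTYPE, an <!ENTITY> declaration or an external
    entity reference, and the exception aborts the parse."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _no_doctype
    parser.EntityDeclHandler = _no_entity
    parser.ExternalEntityRefHandler = _no_external_ref
    parser.Parse(data, True)


def parse_coverage(data):
    """Parse a coverage report only after the DTD gate has passed."""
    reject_dtd(data)
    return ET.fromstring(data)


def line_rate(data):
    """Overall line coverage from a report that passed the gate."""
    return float(parse_coverage(data).get("line-rate"))


def is_accepted(data):
    try:
        parse_coverage(data)
        return True
    except ForbiddenXml:
        return False


if __name__ == "__main__":
    print("clean report line-rate:", line_rate(CLEAN_REPORT))
    print("XXE report accepted?", is_accepted(XXE_REPORT))
```

Refusing the DOCTYPE outright is the right policy for machine-generated reports, which never legitimately carry a DTD; it is also simpler to audit than enabling each parser feature flag individually, which is the step the plugin had missed.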
CVE-2023-28683
Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
MAL-2022-500 Malicious code in @phabricator/fetlife-assets (npm)
Source: ghsa-malware (020e3c678f25d6e919f87597cf9a53d194002258c3c680e0c32d525e7f46937b). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Phabricator: Deprecated owners.query API bypasses object view policy
The deprecated owners.query API does not check object view policy. A user is able to view some information about an owner package which they do not have permission to see by calling this API. Since the API is deprecated, it could just be removed. Impact: An attacker is able to view some informatio...
Phabricator: Conduit feed.publish API allows you to spoof other users or make it look like you have access to a restricted object
The Conduit feed.publish API allows a user to publish stories to the feed. The API accepts a parameter "type" which will be set to PhabricatorTokenGivenFeedStory and accepts JSON in the "data" parameter such as the following: "authorPHID": "PHID-USER-uyg3nn764yetx6nglnbx", "tokenPHID":...
Phabricator: Slowvote and Countdown can cause Denial of Service due to recursive inclusion
Similar to 85011, if you edit a Slowvote or Countdown object and include its own object ID in the description, then it will recursively include itself and prevent the page from loading. Impact: Denial of Service. You can include the Slowvote or Countdown object on any other object to also preven...
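The report above describes an embed loop: an object's description embeds the object itself, so rendering never finishes. The block below is an added example in Python of a hypothetical toy embed renderer, not Phabricator's Remarkup engine. It shows the unguarded version, which recurses without bound, beside one that tracks the chain of objects being rendered and downgrades any reference back into that chain to a plain link. The `{V12}`/`{C3}` monogram syntax, the meaning of the V and C prefixes, the depth cap and the three objects are all constructed for the demonstration.

```python
import re

# Monogram references such as {V12} or {C3}. Assumption of this toy:
# V = Slowvote, C = Countdown.
EMBED = re.compile(r"\{([VC]\d+)\}")
MAX_DEPTH = 8  # also caps legitimate but very long embed chains

# Constructed objects: V12's own description embeds V12; C3 embeds V12.
OBJECTS = {
    "V12": "Lunch poll: {V12} pick one",
    "C3": "Launch in 3 days, vote first: {V12}",
    "V7": "Standalone poll",
}


def render_naive(monogram):
    """Inline every referenced object's rendered body with no cycle check.
    Rendering V12 never terminates: a RecursionError here, a request that
    never returns in a server that renders without a recursion limit."""
    body = OBJECTS[monogram]
    return EMBED.sub(lambda m: f"[{m.group(1)}: {render_naive(m.group(1))}]", body)


def naive_hangs(monogram):
    """True if the unguarded renderer fails to terminate on this object."""
    try:
        render_naive(monogram)
        return False
    except RecursionError:
        return True


def render_safe(monogram, _stack=()):
    """Carry the chain of objects currently being rendered. A reference back
    into the chain, past MAX_DEPTH, or to an unknown object is emitted as a
    plain link instead of being inlined, which breaks the cycle."""
    stack = _stack + (monogram,)

    def embed(m):
        ref = m.group(1)
        if ref in stack or len(stack) >= MAX_DEPTH or ref not in OBJECTS:
            return "{" + ref + "}"  # link only
        return f"[{ref}: {render_safe(ref, stack)}]"

    return EMBED.sub(embed, OBJECTS[monogram])


if __name__ == "__main__":
    print("V12 loops in naive renderer:", naive_hangs("V12"))
    for mono in OBJECTS:
        print(mono, "->", render_safe(mono))
```

Passing the render chain down the call rather than keeping a global visited set matters: the same object may legitimately appear twice in a page through different parents, and only a reference to something currently on the stack is a cycle.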
Phabricator: Global default settings page is accessible to non-administrators
If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D1604...
CVE-2022-29171 Remote Code Execution in Sourcegraph
Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a callsignCommand, which is used to obtain...
Phabricator: Possible to make restricted files public on Phabricator via Diffusion
Files on Phabricator are always viewable to a user if they are attached to an object that they can view. It seems Phabricator does check if you can view a file before allowing you to attach it. If you don't have access to the file, it will just look like this F99999999999 in plaintext. It seems...